Cisco faced a data exposure incident on Dec. 16 when a hacker identified as “IntelBroker” leaked 2.9 gigabytes of files from Cisco’s DevHub platform onto BreachForums, a dark web marketplace. The leaked data reportedly contained source code, certificates, and internal documentation related to various Cisco products such as Catalyst, IOS, WebEx, and Secure Access Service Edge. Despite the severity of the leak, Cisco clarified that the breach was a result of a configuration error rather than an intrusion into its internal systems.
According to Cisco’s reports, the exposed data stemmed from devhub.cisco.com, a platform designed to provide software code, templates, and scripts to developers, partners, and customers. Although much of the content on the platform is deliberately made public, a misconfiguration during a data migration process inadvertently made additional files accessible to unauthorized parties. This mistake enabled the hacker to download files that were intended to remain private.
The saga of the Cisco data breach began on Oct. 14 when IntelBroker posted screenshots of the breached files on BreachForums, claiming to have successfully infiltrated Cisco’s systems. In response, Cisco promptly disabled public access to DevHub and launched an investigation to ascertain the extent of the breach. However, Cisco reiterated that the files were not obtained through an internal system breach, but rather through the inadvertent configuration error on DevHub.
Following the investigation, Cisco stated that no internal systems or enterprise environments were breached and that the exposed files did not contain any sensitive information that could jeopardize the company’s products or customer data. The company promptly corrected the misconfiguration, restored public access to DevHub, and engaged law enforcement and third-party forensic experts to assist in the analysis of the situation. Furthermore, Cisco compiled a list of the files downloaded during the incident and scrutinized their contents for potential risks.
Subsequently, on December 18, IntelBroker leaked 2.9 gigabytes of data on BreachForums, which was purportedly part of a larger 4.5-terabyte data trove. The leaked files included source code in JavaScript and Python, certificates, library files, and internal documentation linked to Cisco products. Cisco acknowledged that some of the exposed files pertained to a specific set of Cisco CX Professional Services customers; it notified them, provided copies of the relevant files, and offered assistance in assessing any potential risks.
In response to the data breach, Cisco took several measures: it temporarily disabled public access to DevHub, collaborated with law enforcement and third-party forensic experts on the analysis, identified and corrected the misconfigured data migration script, and notified affected customers while providing support to mitigate risks. Cisco also implemented enhanced measures to prevent similar incidents in the future, such as stricter controls over automation processes, improved monitoring systems for public-facing platforms, and expanded quality assurance testing to detect vulnerabilities before deployment.
Overall, Cisco’s response to the data breach underscores the company’s commitment to addressing cybersecurity incidents promptly and responsibly to safeguard its products, services, and customers. Cisco continues to prioritize cybersecurity measures to prevent future breaches and maintain the trust of its stakeholders.